Microsoft released security advisory 2501696, titled “Vulnerability in MHTML Could Allow Information Disclosure” today. The advisory addresses a flaw in the MHTML protocol handler which opens all versions of Windows to potential cross-site scripting (XSS) attacks.
The Microsoft Security Response Center (MSRC) blog explains how an attack might work in more detail once a user receives a malicious link targeting this vulnerability. “When the user clicked that link, the malicious script would run on the user’s computer for the rest of the current Internet Explorer session. Such a script might collect user information (eg., e-mail), spoof content displayed in the browser, or otherwise interfere with the user’s experience.”
Jim Walter, manager of the McAfee Threat Intelligence Service for McAfee Labs, does not believe this is a serious threat–at least not imminently. “The scope and impact is relatively limited compared to other recent zero-day vulnerabilities. Based on the information that is currently available, we are aware that successful exploitation could lead to the running of arbitrary scripts (in the context of the clients IE session), as well as the disclosure of sensitive information.”
Andrew Storms, director of security operations for nCircle, e-mailed the following comments. “At first glance today’s advisory looks grim because it affects every supported Windows platform. However, even though the proof of concept code is public, carrying out an attack using this complicated cross site scripting-like bug will not be easy,” adding, “Because of this, attacks are probably not imminent but users should still follow the mitigation advice in the advisory.
The MSRC blog suggests following the mitigation advice in the security advisory. “The workaround we are recommending customers apply locks down the MHTML protocol and effectively addresses the issue on the client system where it exists.”
Kandek provides some incentive for using a browser other than Internet Explorer. “While the vulnerability is located in a Windows component, Internet Explorer is the only known attacker vector. Firefox and Chrome are not affected in their default configuration, as they do not support MHTML without the installation of specific add-on modules.”